There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier, or where the file is an existing file, changing a file type identifier for the file; querying the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determining that the process is a suspected ransomware attack; and taking a remedial action.
Legal claims defining the scope of protection, as filed with the USPTO.
2. The computing apparatus of claim 1, wherein at least some filename extensions follow a final dot (“.”) in a file's name.
3. The computing apparatus of claim 1, wherein the four-byte sequences are a first four bytes of a file.
4. The computing apparatus of claim 1, wherein the instructions are further to exclude a based on determining that the first filename extension for the changed file is included in an ignore list.
5. The computing apparatus of claim 1, wherein the instructions are further to use characters following a penultimate dot (“.”) as a filename extension.
6. The computing apparatus of claim 1, wherein determining that the process has changed an existing file comprises comparing a hash of the first four-byte sequence to a hash of the second four byte sequence.
7. The computing apparatus of claim 1, wherein the identifying information comprises a hash of a four byte sequence.
8. The computing apparatus of claim 1, wherein the data structure further comprises heuristic data for the computing apparatus.
9. The computing apparatus of claim 1, wherein the ransomware remediation action comprises isolating the computing apparatus by disabling a network interface.
10. The computing apparatus of claim 1, wherein the instructions are further to query a cloud security service with metadata about the computing apparatus and the process.
12. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein at least some filename extensions follow a final dot (“.”) in a file's name.
13. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the four-byte sequences are a first four bytes of a file.
14. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the instructions are further to exclude a file based on determining that the first filename extension for the changed file is included in an ignore list.
15. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the instructions are further to use characters following a penultimate dot (“.”) as a filename extension.
16. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein determining that the process has changed an existing file comprises comparing a hash of the first four-byte sequence to a hash of the second four byte sequence.
17. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the identifying information comprises a hash of a four byte sequence.
18. The one or more tangible, nontransitory computer-readable storage media of claim 11, wherein the data structure further comprises heuristic data for a computing apparatus.
20. The method of claim 19, further comprising determining that the suspicious file extension is a file type extension not found in the system profile.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
December 12, 2019
December 20, 2022
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.